ROLE (System Boot) and MODIFY_ATTRIBUTE problems
<sftf <at> yandex.ru>
2006-03-08 13:37:52 GMT
In an init script, mountfs, I've added commands to set up proc virtual filesystem access:
acl_grant ROLE 999999 RW FD /proc
acl_grant ROLE 10 RW FD /proc/kmsg
where 999999 == System Boot ROLE and 10 == ROLE for syslog-ng.
This script is executed with the System Boot ROLE.
All works as it was supposed to with this, but...
ROLE System Boot has no MODIFY_ATTRIBUTE on General_FD type!
And nevertheless this script changes RSBAC ACL attributes somehow...
Even a "clean" (with no rsbac.dat) system allows a System Boot role
to change these RSBAC attributes.
I think that without MODIFY_ATTRIBUTE, a role should not have the
ability to change any RSBAC attributes.
linux 22.214.171.124, RSBAC 1.3.0pre1,
system has no ROLE with MODIFY_ATTRIBUTE except Role_Admin,
all files have General_FD type,
ACL FD :DEFAULT: for USER_0 (root) has no MODIFY_ATTRIBUTE,
ACL FD :DEFAULT: has no entry for ROLE_999999 (System Boot).
Active modules: UM,ACL,RC,CAP.
Thanks a lot!
sftf mailto:sftf <at> yandex.ru